Windows Server Update Service Spawning Suspicious Processes

  1[metadata]
  2creation_date = "2025/10/24"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/10/24"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies suspicious processes being spawned by the Windows Server Update Service. This activity may indicate exploitation
 11activity or access to an existing web shell backdoor.
 12"""
 13from = "now-9m"
 14index = [
 15    "logs-endpoint.events.process-*",
 16    "winlogbeat-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Windows Server Update Service Spawning Suspicious Processes"
 25note = """## Triage and analysis
 26
 27> **Disclaimer**:
 28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 29
 30### Investigating Windows Server Update Service Spawning Suspicious Processes
 31
 32### Possible investigation steps
 33
 34- Examine the child process details, focusing on the process names and original file names such as cmd.exe, powershell.exe, pwsh.exe, and powershell_ise.exe, to identify any unauthorized or unexpected command-line activity.
 35- Investigate the timeline of events leading up to the alert, including any preceding or subsequent processes, to understand the context and potential impact of the suspicious activity.
 36- Check for any associated network activity or connections initiated by the suspicious processes to identify potential data exfiltration or communication with external command and control servers.
 37- Review recent changes or access logs on the affected  server to identify any unauthorized access attempts or modifications that could indicate exploitation or the presence of a web shell.
 38- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and corroborate findings.
 39- Assess the risk and impact of the detected activity, considering the severity and risk score, and determine appropriate response actions, such as isolating the affected system or conducting a deeper forensic analysis.
 40
 41### False positive analysis
 42
 43- This behavior is rare and should be treated with high suspicion.
 44
 45### Response and remediation
 46
 47- Immediately isolate the affected Server from the network to prevent further unauthorized access or lateral movement.
 48- Terminate any suspicious processes identified as being spawned by w3wp.exe, such as cmd.exe or powershell.exe, to halt any ongoing malicious activity.
 49- Conduct a thorough review of the server's application pools and web directories to identify and remove any unauthorized web shells or scripts.
 50- Restore the server from a known good backup taken before the suspicious activity was detected to ensure system integrity.
 51- Apply the latest security patches and updates to the Server to mitigate known vulnerabilities and prevent exploitation.
 52- Monitor network traffic and server logs for any signs of continued or attempted exploitation, focusing on unusual outbound connections or repeated access attempts.
 53- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised."""
 54references = [
 55    "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287",
 56    "https://hawktrace.com/blog/CVE-2025-59287"
 57]
 58risk_score = 73
 59rule_id = "1ac027c2-8c60-4715-af73-927b9c219e20"
 60severity = "high"
 61tags = [
 62    "Domain: Endpoint",
 63    "OS: Windows",
 64    "Use Case: Threat Detection",
 65    "Tactic: Initial Access",
 66    "Tactic: Execution",
 67    "Data Source: Elastic Endgame",
 68    "Data Source: Elastic Defend",
 69    "Data Source: Sysmon",
 70    "Data Source: Microsoft Defender for Endpoint",
 71    "Data Source: SentinelOne",
 72    "Resources: Investigation Guide",
 73]
 74timestamp_override = "event.ingested"
 75type = "eql"
 76
 77query = '''
 78process where host.os.type == "windows" and event.type == "start" and
 79  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "rundll32.exe", "curl.exe") and
 80  (
 81   (process.parent.name : "w3wp.exe" and process.parent.args : "WsusPool") or
 82   process.parent.name : "WsusService.exe"
 83   )
 84'''
 85
 86
 87[[rule.threat]]
 88framework = "MITRE ATT&CK"
 89[[rule.threat.technique]]
 90id = "T1190"
 91name = "Exploit Public-Facing Application"
 92reference = "https://attack.mitre.org/techniques/T1190/"
 93
 94
 95[rule.threat.tactic]
 96id = "TA0001"
 97name = "Initial Access"
 98reference = "https://attack.mitre.org/tactics/TA0001/"
 99[[rule.threat]]
100framework = "MITRE ATT&CK"
101[[rule.threat.technique]]
102id = "T1059"
103name = "Command and Scripting Interpreter"
104reference = "https://attack.mitre.org/techniques/T1059/"
105[[rule.threat.technique.subtechnique]]
106id = "T1059.001"
107name = "PowerShell"
108reference = "https://attack.mitre.org/techniques/T1059/001/"
109
110[[rule.threat.technique.subtechnique]]
111id = "T1059.003"
112name = "Windows Command Shell"
113reference = "https://attack.mitre.org/techniques/T1059/003/"
114
115
116
117[rule.threat.tactic]
118id = "TA0002"
119name = "Execution"
120reference = "https://attack.mitre.org/tactics/TA0002/"